To achieve this you need to set up a Bypass-NAT route-map and tie it to your ACLs and static NAT entries.
I did this by doing the following.
I first set up my ACLs so that I had access to the local network when on the VPN:
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
Make sure to add the deny statement first, as an ACL is evaluated top-down and the first matching entry wins; if the permit any comes first, the VPN traffic is never excluded from NAT.
I also added a third access-list, number 120, to match the addresses for the route-map I was about to create:
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
Once I had this in place I set up a route-map and named it Bypass-NAT. Sequence 10 denies (that is, bypasses NAT for) traffic matching ACL 120, and sequence 20 has no match clause, so everything else is still translated:
route-map Bypass-NAT deny 10
 match ip address 120
!
route-map Bypass-NAT permit 20
!
Once I had saved all of the above settings I then added two more extendable static NAT entries to my firewall, as below:
ip nat inside source static tcp 192.168.2.120 5800 122.***.***.*** 5800 route-map Bypass-NAT extendable
ip nat inside source static tcp 192.168.2.120 5900 122.***.***.*** 5900 route-map Bypass-NAT extendable
The route-map is referenced on each entry; for the entry to be accepted you have to put in your external IP. Once you have put in the rules, connect to your VPN and try to connect to the server to check that it works; then disconnect and try connecting to the server again, this time using your external IP address. The rules above are for me to connect to my laptop using VNC, which works on the private IP when on the VPN and on the public IP when I'm not on the VPN.
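To make the mechanics of the configuration above concrete, here is an added Python simulation (not part of the original post and not Cisco code) of the pieces the router applies: wildcard-mask matching, first-match ACL evaluation with the implicit deny, route-map sequence evaluation, and a static NAT entry gated by the route-map. The public address is the placeholder 203.0.113.1 standing in for the masked 122.*.*.* address, and the VPN client and Internet host addresses are constructed. It also models the two mistakes the text warns about (deny placed after the permit any in ACL 100, and a match clause on route-map sequence 20) so you can see why they break the setup.

```python
# Added example: simulation of wildcard ACLs, a route-map and a
# route-map-gated static NAT entry. Not the post's or Cisco's code.
import ipaddress

PUBLIC_IP = "203.0.113.1"       # placeholder for the post's masked 122.*.*.* address
INSIDE_HOST = "192.168.2.120"   # the VNC laptop from the post
VPN_CLIENT = "192.168.5.10"     # constructed client in the VPN pool 192.168.5.0/24
INTERNET_HOST = "198.51.100.7"  # constructed host on the Internet


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


ANY = ("0.0.0.0", "255.255.255.255")  # 'any' is a network with an all-ones wildcard

# Each ACL is an ordered list of (action, src_net, src_wc, dst_net, dst_wc),
# transcribed from the configuration in the post.
ACL_100 = [
    ("deny",   "192.168.2.0", "0.0.0.255", "192.168.5.0", "0.0.0.255"),
    ("permit", "192.168.2.0", "0.0.0.255", *ANY),
]
ACL_120 = [("permit", "192.168.2.0", "0.0.0.255", "192.168.5.0", "0.0.0.255")]

# Mistake 1: the deny entered after the permit any (permit any shadows it).
ACL_100_DENY_LAST = list(reversed(ACL_100))


def acl_result(acl, src: str, dst: str) -> str:
    """Top-down, first match wins; an ACL ends with an implicit deny."""
    for action, src_net, src_wc, dst_net, dst_wc in acl:
        if wildcard_match(src, src_net, src_wc) and wildcard_match(dst, dst_net, dst_wc):
            return action
    return "deny"


# route-map Bypass-NAT as (sequence, action, acl); acl None means "no match
# clause", which in IOS matches every packet.
BYPASS_NAT = [(10, "deny", ACL_120), (20, "permit", None)]

# Mistake 2: a match clause on sequence 20 as well. Anything matching ACL 120
# is already denied by sequence 10, so sequence 20 can never permit anything
# and no traffic is ever translated.
BROKEN_MAP = [(10, "deny", ACL_120), (20, "permit", ACL_120)]


def route_map_permits(route_map, src: str, dst: str) -> bool:
    """Sequences are tried in order; the first whose match clause is satisfied
    decides, and falling off the end is an implicit deny."""
    for _seq, action, acl in route_map:
        if acl is None or acl_result(acl, src, dst) == "permit":
            return action == "permit"
    return False


def static_nat_outbound(src: str, sport: int, dst: str, route_map=BYPASS_NAT):
    """Model of 'ip nat inside source static tcp 192.168.2.120 5900 <public> 5900
    route-map Bypass-NAT' for an inside-to-outside packet: the source is
    translated only when the route-map permits; otherwise the packet leaves
    the router untranslated, which is what the VPN client needs to see."""
    if src == INSIDE_HOST and sport == 5900 and route_map_permits(route_map, src, dst):
        return (PUBLIC_IP, 5900)
    return (src, sport)


if __name__ == "__main__":
    for dst in (VPN_CLIENT, INTERNET_HOST):
        print(f"ACL 100 for {INSIDE_HOST} -> {dst}: {acl_result(ACL_100, INSIDE_HOST, dst)}")
        print(f"VNC reply toward {dst} appears from: {static_nat_outbound(INSIDE_HOST, 5900, dst)}")
    print("deny-last ACL 100 for VPN traffic:", acl_result(ACL_100_DENY_LAST, INSIDE_HOST, VPN_CLIENT))
    print("broken route-map toward Internet:", static_nat_outbound(INSIDE_HOST, 5900, INTERNET_HOST, BROKEN_MAP))
```

With the configuration as posted, a VNC session from the VPN client reaches the laptop on 192.168.2.120 untranslated, while a session from the Internet is answered from the public address on port 5900. With the deny placed last, ACL 100 permits (and therefore NATs) the VPN traffic; with a match clause on sequence 20, the route-map never permits and the public-IP path stops working.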
I have also used these settings on my work Cisco 881 Router.